[Snyk] Fix for 5 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

  • package.json
  • package-lock.json

• Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.
  Find out more.

Vulnerabilities that will be fixed

With an upgrade:

Severity	Issue	Breaking Change	Exploit Maturity
	Arbitrary File Write via Archive Extraction (Zip Slip) npm:adm-zip:20180415	No	Mature
	Cross-site Scripting (XSS) via Data URIs npm:marked:20170112	No	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:mime:20170907	Yes	No Known Exploit
	Regular Expression Denial of Service (ReDoS) npm:ms:20170412	Yes	No Known Exploit

Commit messages

Package name: adm-zip

The new version differs by 50 commits.

• 80d259f Version bump
• 3f00a03 Fixed [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#176
• 650e752 Fixed wrong date on files (issue [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#203)
• d01fa8c Fixed bugs introduced with 0.4.9
• c0cc85d Merge pull request [Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#219 from jontore/master
• 39c83a2 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#209 from poshta1900/fix
• b94c5dd Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#227 from hhaidar/master
• c95c553 Merge pull request [Snyk Update] New fixes for 16 vulnerable dependency paths snyk-labs/nodejs-goof#228 from jmcollin78/patch-1
• cda668c Fix issue [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#218
• 0f2cb41 Fix octal literals so they work in strict mode
• 888931d To support strict mode use 0o prefix to octal numbers
• 89b6f67 Update package.json
• 9592298 Update README.md
• ce59e5a Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#215 from grnd/master
• 38cb4a4 fix: resolve both target and entry path
• 18c3d31 Update package.json
• 666adec Update package.json
• 499d59b Update package.json
• 62f6400 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#212 from aviadatsnyk/master
• 6f4dfeb fix: prevent extracting archived files outside of target path
• ef0abe6 add try-catch around fs.writeSync
• e116bc1 Merge pull request [Snyk Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#208 from pmuens/patch-1
• 12d2099 Fix data accessing example in README
• 032566b Merge pull request [Snyk-dev Update] New fixes for 1 vulnerable dependency path snyk-labs/nodejs-goof#204 from BridgeAR/master

See the full diff

Package name: express

The new version differs by 250 commits.

• f974d22 4.16.0
• 8d4ceb6 docs: add more information to installation
• c0136d8 Add express.json and express.urlencoded to parse bodies
• 86f5df0 deps: [email protected]
• 4196458 deps: [email protected]
• ddeb713 tests: add maxAge option tests for res.sendFile
• 7154014 Add "escape json" setting for res.json and res.jsonp
• 628438d deps: update example dependencies
• a24fd0c Add options to res.download
• 95fb5cc perf: remove dead .charset set in res.jsonp
• 44591fe deps: vary@~1.1.2
• 2df1ad2 Improve error messages when non-function provided as middleware
• 12c3712 Use safe-buffer for improved Buffer API
• fa272ed docs: fix typo in jsdoc comment
• d9d09b8 perf: re-use options object when generating ETags
• 02a9d5f deps: proxy-addr@~2.0.2
• c2f4fb5 deps: [email protected]
• 673d51f deps: [email protected]
• 5cc761c deps: parseurl@~1.3.2
• ad7d96d deps: [email protected]
• e62bb8b deps: etag@~1.8.1
• 70589c3 deps: content-type@~1.0.4
• 9a99c15 deps: accepts@~1.3.4
• 550043c deps: [email protected]

See the full diff

Package name: marked

The new version differs by 13 commits.

• 2a92083 Release 0.3.7
• 753a7bd 0.3.7
• 635e45c Merge pull request feat: add open redirect and xss vulns in code snyk-labs/nodejs-goof#960 from chjj/github-templates
• d24427e Add issue template
• 8f9d0b7 Merge pull request [Snyk-dev] Security upgrade npmconf from 0.0.24 to 1.0.1 snyk-labs/nodejs-goof#844 from chjj/data_link_fix
• cd2f6f5 added data: link fix to prevent xss
• 38f1727 Merge pull request [Snyk-local] Fix for 3 vulnerabilities snyk-labs/nodejs-goof#728 from nehero/patch-1
• eddec20 v0.3.6
• fd0d1a2 Merge pull request [Snyk] Fix for 3 vulnerable dependencies snyk-labs/nodejs-goof#592 from matt-/xss_html_entities
• 0fa05b6 Merge pull request [Snyk] Fix for 37 vulnerabilities #1 from rsp/fix/xss_html_entities_semicolon
• 31c7799 add optional semicolon in html entities regex
• 6470e8b Update readme example to reflect defaults
• 2cff859 added explicit matching for HTML entities to prevent XSS

See the full diff

Package name: mongoose

The new version differs by 250 commits.

• 23efdcf chore: release 4.10.2
• f627ba5 fix: bump ms -> 2.0.0
• b8263d6 fix: bump mquery for regexp vulnerability
• 84b3e28 docs: improve projection descriptions re: #1534
• ca5e53c chore: now working on 4.10.2
• 3474d8d chore: release 4.10.1
• dc6f887 fix(populate): handle doc.populate() with virtuals
• a6dd311 test(populate): repro #5240
• 6a2d405 fix(aggregate): handle sorting by text score correctly
• b386516 test(aggregate): repro #5258
• 54f624e Merge branch 'master' of github.com:Automattic/mongoose
• 5038635 fix(schema): enforce that _id is never null
• f7cbbdc docs: list a couple intermediate changes in changelog
• d951bed chore: now working on 4.10.1
• 274ed0f docs: add missing ignore
• 43752e8 chore: release 4.10.0
• 142fbba Merge pull request #5270 from Automattic/4.10
• 4bc7b3e docs: add missing ignores to sharding plugin
• e8c8789 Merge branch '4.10' of github.com:Automattic/mongoose into 4.10
• 9d4c9d4 Merge branch 'master' into 4.10
• b8f0dd8 Merge pull request #5253 from Automattic/5145
• f3805fa Merge pull request #5252 from Automattic/4569
• 8ba7869 Merge pull request #5268 from clozanosanchez/patch-2
• 373bb6f Update clone method to include indexes

See the full diff

Package name: ms

The new version differs by 19 commits.

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#89)
• b83b36d chore(package): update eslint to version 3.19.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• c9b1fd3 Test on LTS version of Node
• 389840b Badge for XO removed
• 1fbbe97 Removed component specification
• 57b3ef8 Use `prettier` and `eslint`
• 94068ea Removed XO
• 4b7f48f chore(package): update serve to version 5.0.4 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#85)
• bd49cec chore(package): update xo to version 0.18.0 ([Snyk] Fix for 33 vulnerable dependency paths snyk-labs/nodejs-goof#84)
• d4a94b1 chore(package): update serve to version 5.0.3 (feat: added support for CloudFoundry snyk-labs/nodejs-goof#83)
• 923eee1 chore(package): update serve to version 5.0.2 ([Snyk Update] New fixes for 2 vulnerable dependency paths snyk-labs/nodejs-goof#82)

See the full diff

With a Snyk patch:

Severity	Issue	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) npm:ms:20151024	No Known Exploit

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:

🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic